Barracuda: Scammers Employ Low Payment Demands to Avoid Detection
Email fraudsters try to extort money from victims by threatening to release embarrassing or illicit material, target no more than 10 work email accounts at a time and make moderate payment demands to stay under the radar – according to Barracuda, a trusted partner and leading provider of cloud-enabled security solutions.
The research, conducted by researchers at Columbia University (US), analysed 300,000 emails that Barracuda's AI-based detectors flagged as blackmail scams over a period of 12 months in Asia and worldwide, with the aim of uncovering the financial infrastructure attackers use for extortion emails.
Detailed in Barracuda’s most recent Threat Spotlight, the research revealed how scammers making payment demands of around USD$1000 in Bitcoin are able to stay under the radar and avoid alerting potential victims, security teams and payment systems.
Extortion attacks threaten to expose compromising information, such as photos, videos, or details of illicit online activity, unless the victim pays the attackers – generally in a cryptocurrency such as Bitcoin.
Understanding the Attack Model
The team at Columbia grouped the extortion emails by the Bitcoin wallet addresses in them. They assumed that an attacker would use the same Bitcoin wallet for all their attacks so that one wallet = one attacker. The team found 3,000 unique Bitcoin wallet addresses. Of these, 100 wallets appear in 80% of the emails. This suggests that a relatively small number of attackers were responsible for most of the extortion emails.
The team also looked at the “sender” email fields for each extortion email. They assumed that an attacker would use the same account for all the emails distributed in a single attack but might use a different account for another attack, and so on. The team found that 97% of sender accounts sent out fewer than 10 attack emails each. 90% of the attacks demanded payments of less than $2,000 USD in Bitcoin.
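The grouping described above (one wallet = one attacker, emails per sender, size of the demand) can be reproduced on a mailbox export. The script below is an added illustration, not code from the Columbia or Barracuda research; the emails and the wallet strings in it are constructed placeholders shaped like Bitcoin addresses, and the address regex is deliberately loose.

```python
import re
from collections import Counter

# Loose patterns for the demo: a legacy (base58) or bech32-style Bitcoin address,
# and a dollar figure such as "$950" or "$1,000".
WALLET_RE = re.compile(r"\b(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
DEMAND_RE = re.compile(r"\$\s?([0-9][0-9,]*)")

# Constructed wallet placeholders (not real addresses) and a constructed sample
# of eight extortion emails as (sender, body) pairs.
W1, W2 = "bc1qconstructedwalletone" + "a" * 20, "bc1qconstructedwallettwo" + "b" * 20
W3, W4 = "bc1qconstructedwalletthree" + "c" * 20, "bc1qconstructedwalletfour" + "d" * 20
SAMPLE_EMAILS = [
    ("s1@example.net", f"Pay $950 to {W1} or the video goes public"),
    ("s1@example.net", f"Pay $1,000 to {W1} within 48 hours"),
    ("s1@example.net", f"Transfer $1,200 in BTC to {W1}"),
    ("s2@example.org", f"$800 to {W1} or else"),
    ("s2@example.org", f"Send $1,500 to {W2}"),
    ("s3@example.com", f"Send $3,500 to {W2}"),
    ("s4@example.com", f"I demand $900 to {W3}"),
    ("s5@example.com", f"$1,000 to {W4} now"),
]

def extract_wallet(body):
    m = WALLET_RE.search(body)
    return m.group(1) if m else None

def extract_demand_usd(body):
    m = DEMAND_RE.search(body)
    return int(m.group(1).replace(",", "")) if m else None

def cluster_by_wallet(emails):
    """Count emails per wallet; one wallet is treated as one attacker."""
    return Counter(w for _, body in emails if (w := extract_wallet(body)))

def top_wallet_share(wallet_counts, k):
    """Fraction of all emails attributable to the k most-used wallets."""
    total = sum(wallet_counts.values())
    return sum(n for _, n in wallet_counts.most_common(k)) / total

def share_of_senders_below(emails, max_emails):
    """Fraction of sender accounts that sent fewer than max_emails emails."""
    per_sender = Counter(sender for sender, _ in emails)
    return sum(1 for n in per_sender.values() if n < max_emails) / len(per_sender)

def share_of_demands_below(emails, usd):
    """Fraction of emails whose demanded amount is below usd dollars."""
    demands = [d for _, body in emails if (d := extract_demand_usd(body)) is not None]
    return sum(1 for d in demands if d < usd) / len(demands)

if __name__ == "__main__":
    wallets = cluster_by_wallet(SAMPLE_EMAILS)
    print(f"{len(wallets)} wallets; top 2 cover {top_wallet_share(wallets, 2):.0%} of emails")
    print(f"senders with <10 emails: {share_of_senders_below(SAMPLE_EMAILS, 10):.0%}")
    print(f"demands under $2,000: {share_of_demands_below(SAMPLE_EMAILS, 2000):.0%}")
```

On the constructed sample the two busiest wallets account for 75% of the emails, every sender stays under 10 emails, and 7 of 8 demands are below $2,000, the same shape of result the study reports at scale.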
“Our analysis suggests that extortion scams are implemented by a relatively small number of perpetrators, each firing off multiple small-scale attacks with moderate extortion demands,” said Asaf Cidon, Associate Professor of Electrical Engineering at Columbia University.
“These relatively modest sums make it likelier the targets will cooperate with the extortion, and the relatively small number of emails per sender makes it easier for attackers to evade detection by traditional security technologies and anti-fraud measures at payment providers and avoid arousing the attention of law enforcement and the media – which would alert potential victims to the scam.”
“Extortion attacks need to be taken seriously by security teams, especially when they are targeting people through their work email accounts,” said Mark Lukie, Director of Solution Architects (APAC) at Barracuda.
“How did the attacker get hold of the account details, for example – were they exposed or stolen at some point? Or does it mean that the recipient has used their work account and device for inappropriate activity such as visiting questionable websites? Both scenarios have security implications for the company – and for the target. This can be embarrassing and distressing and can potentially make it more likely a victim will pay.”
According to Barracuda, there are some important steps that security teams can take to keep employees and the wider organisation protected from extortion scams. These include investing in AI-powered email security that can detect and block such emails before they reach the intended recipient, and that prevents attackers from seizing control of accounts and using the company as a base from which to launch other attacks. This should be coupled with employee training and security policies that discourage staff from using their work email to access third-party sites or from storing sensitive personal material on work devices, but which also give them a safe and confidential place to report an incident.